Cryptographers have cracked the encryption schemes used in a variety of satellite phones, a feat that makes it possible for attackers to surreptitiously monitor data received by vulnerable devices.

The research team, from the Ruhr University Bochum in Germany, is among the first to analyze the secret encryption algorithms implemented by the European Telecommunications Standards Institute. After reverse engineering phones that use the GMR-1 and GMR-2 standards, the team discovered serious cryptographic weaknesses that allow attackers using a modest PC running open-source software to recover protected communications in less than an hour.

The findings, laid out in a paper (PDF) to be presented at the IEEE Symposium on Security and Privacy 2012, are the latest to poke holes in proprietary encryption algorithms. Unlike standard algorithms such as AES and Blowfish—which have been subjected to decades of scrutiny from some of the world's foremost cryptographers—these secret encryption schemes often rely more on obscurity than mathematical soundness and peer review to rebuff attacks.

"Contrary to the practice recommended in modern security engineering, both standards rely on proprietary algorithms for (voice) encryption," the researchers wrote in the paper. "Even though it is impossible for outsiders (like us) to decide whether this is due to historic developments or because secret algorithms were believed to provide a higher level of 'security,' the findings of our work are not encouraging from a security point of view."

The GMR-1 standard uses an algorithm that closely resembles the proprietary A5/2 cipher once employed by cellphones based on GSM, or Global System for Mobile Communications. A5/2 was dropped in 2006 after cryptographers exposed weaknesses that made it possible for attackers with modest hardware to crack the cipher in almost real time.

The problem with a5-gmr, as the cipher in GMR-1 is known, is that its output gives adversaries important clues about the secret key used to encrypt communications, Benedikt Driessen, a Ph.D. student who co-authored the paper, told Ars. By making a series of educated guesses based on a small sample of the ciphertext, attackers can quickly deduce the key needed to unscramble the protected data.

"If the guess is correct and given enough equations, the equations can be solved to reveal the encryption key," Driessen said.

He also faulted the algorithm for performing what's known as clocking separately and generating output equations with a low algebraic degree, flaws that also diminish security.

a5-gmr-2, the cipher used in GMR-2 phones, is also vulnerable to cracking when adversaries know a small sample of the data before it was encrypted. Because data sent over phone networks contains headers and other predictable content, it is possible for attackers to exploit the weakness.

Phones under attack

It's tempting for critics of the satphone standards to seize on the security-through-obscurity approach, which relies on the lack of documentation to prevent attacks. But in fairness to the engineers who designed it, the approach hasn't completely failed. The new crack works only on the data sent from a satellite to a phone, making it possible to retrieve data from only one end of a conversation. What's more, researchers have yet to reverse engineer the audio codecs used by the standards, so eavesdropping on voice conversations isn't yet possible.

"Our claim is, (a) we can decrypt and the codec will be revealed shortly which allows full eavesdropping and (b) we can apply the attack to different channels (fax, SMS) for which we don't even need a codec," Driessen said. Satphones "are vulnerable because the protection-layer is worthless."

Over the past couple of years, cryptographers have gradually whittled away at many of the algorithms protecting data sent by phones. Standards including GSM, DECT (Digital Enhanced Cordless Telecommunications), and GPRS (General Packet Radio Service) have all been targeted. Devices that are vulnerable to the latest attacks include the Thuraya So-2510 and the Inmarsat IsatPhone Pro.

The secret algorithms were analyzed by downloading publicly available firmware used by the phones, disassembling the code, and using some clever techniques to isolate the ciphers. The analysis techniques may prove valuable in exposing weaknesses in other encryption schemes as well.

Note: The original opening image for this story has been updated to reflect reader concerns.

47 Reader Comments

Not quite sure what the soldier picture has to do with this article, since they certainly don't rely on the phone itself to encrypt vital communications... Otherwise, pretty nifty article. Makes me want to look into mobile voice algorithms a bit more.

The image of the soldier above is inaccurate. Although it doesn't actually show the radio he's using, by the style of the handset and antenna we can be certain he's using a UHF-band TACSAT radio such as a Harris multiband or Raytheon PSC-5x. This type of communications is encrypted by NSA Type-1 Suite A cryptographic architecture, which is certified for transmission of information up to and including TOP SECRET.

For those of us whose lives often depend on the security of our tactical communications, note that the article does not refer to the failure of any NSA standard architecture.

Heading the article with this inaccurate image is irresponsible on the part of the Ars editors.

Instead, the article probably refers to standards employed by Iridium, INMARSAT, or other commercial carriers. The US military does not use these commercial services for tactical or strategic comms.

The Soldier has nothing to do with the story. He is using a SatComm radio and consulting what looks to be a Garmin GPS unit. The US military does not rely on standard carrier encryption and has an add-on capability that makes a handset to handset unique key call. Dan, thanks for the great crypto write up but the picture is a bit misleading...

So two people have as their only post a complaint that the picture is inaccurate/irresponsible. It's just the picture. Big deal.

I'm a civilian wireless communications engineer who works for the US Army, which is the only reason the picture caught my eye to begin with. 90% of Army users are semi-technical radio operators who don't understand the encryption or encoding concepts discussed in this article. I wouldn't want any soldier to read this article and think their comm equipment is compromised, as the image suggests. That's where the irresponsibility comes in.

I wouldn't want any soldier to read this article and think their comm equipment is compromised, as the image suggests. That's where the irresponsibility comes in.

If they actually read the article, they'll understand, like anyone reading it, that the protocol concerned is the one "implemented by the European Telecommunications Standards Institute" which pretty much prevents any kind of military involvement.

I agree that the picture is slightly misleading but I would hardly call it irresponsible.

So two people have as their only post a complaint that the picture is inaccurate/irresponsible. It's just the picture. Big deal.

I've got to agree with others. Especially with the huge size of the image, it creates a first impression that even if the article explicitly stated otherwise would be hard to shake.The article doesn't explicitly state otherwise, leaving it to the reader whether there's something they were trying to imply. Why such a huge image if it's only there to dress up the article?

The other interpretation of the large army guy photo is that the crack is being USED by the army to spy on the enemy. IIRC, that was a major plot point in Clear and Present Danger (the book, I never saw the film so don't know if that was included).

If it's the case that no military communications have been cracked here, then I agree that that picture should be pulled. It's misleading, and potentially dangerous.

Not knowing where this algorithm is used, knowing that soldiers use satphones, and seeing this picture associated with the article, I assumed that this was a hack of military signals. I suspect most soldiers probably don't even have my limited knowledge in this area, so I think many of them would draw the same conclusion. The last thing you want is a bunch of soldiers who incorrectly think that their communication systems aren't safe.

The image of the soldier above is inaccurate. Although it doesn't actually show the radio he's using, by the style of the handset and antenna we can be certain he's using a UHF-band TACSAT radio such as a Harris multiband or Raytheon PSC-5x. This type of communications is encrypted by NSA Type-1 Suite A cryptographic architecture, which is certified for transmission of information up to and including TOP SECRET.

For those of us whose lives often depend on the security of our tactical communications, note that the article does not refer to the failure of any NSA standard architecture.

Heading the article with this inaccurate image is irresponsible on the part of the Ars editors.

Instead, the article probably refers to standards employed by Iridium, INMARSAT, or other commercial carriers. The US military does not use these commercial services for tactical or strategic comms.

My main question after reading the article was "So, does this mean the Military is using this stuff?" Thanks for clarifying in the comments but would be nice to update the image and clarify in the article.

The Satellite to Phone is the direction which is easiest to intercept. Each beam from the Sat covers huge area's of land and anyone in that beam's area can receive the signal. The only protection that signal has is the encryption. I suspect the researches only focused on this direction because a crack has far greater potential consequences.

* I also agree the picture is misleading and not at all related to this article. Not the usual Ars standard.

Also, this wasn't a failure of 'security through obscurity' (a loaded phrase if ever there was one), it was a failure of a weak algorithm. In fact, that it was secret in nature has likely meant that it has been uncracked for /longer/ than if this algorithm was known and out in the open.

Wow, whats up with people hating on the picture? They put pictures up all the time, sometimes shopped and get congratulated on how good it is. Instead people should make less assumptions or learn to search and verify the assumptions they do make. Stop feeling the need to be spoon fed. If you have questions about the article, figure them out.

a) I read the article, not look at the pictures. The main headline mentions no reference to military, no does the content. After digesting the article, it was clear and apparent that it was related to consumer telephones, not military.

b) To claim that the picture is misleading is an insult to the readership of Ars, whom I am certain have the intelligence to actually do what I did in point (a).

c) The use of the picture is a matter of subjective. As already pointed out, it could be the military doing the spying, something I am quite sure that is within their remit in operations abroad.

So to those people criticizing the image, do not jump to conclusions that the rest of us jump to the same conclusions as you, or even jump to conclusions at all.

While not directly exposed until now, the weaknesses of satellite phones are well known. They used to be used extensively by terrorists until they realized that we were listening in on what they thought were secure devices. Now even a man hiding in a cave knows not to talk on a satellite phone.

Also, this wasn't a failure of 'security through obscurity' (a loaded phrase if ever there was one), it was a failure of a weak algorithm.

If they hadn't kept the algorithm secret it would have been shown to be weak before it was widely deployed. Problems with A5/2 have been known since literally the very month it was first published. The fact that they tried to fix it in GMR with a secret band-aid patch rather than engaging the security community is exactly what the problem is.

Quote:

In fact, that it was secret in nature has likely meant that it has been uncracked for /longer/ than if this algorithm was known and out in the open.

You don't know that. You just know that the "good" guys have been in the dark for longer.

a) I read the article, not look at the pictures. The main headline mentions no reference to military, no does the content. After digesting the article, it was clear and apparent that it was related to consumer telephones, not military.

My issue is this: The combination of headline and picture together gives the impression it might be military. The summary text on the front page also doesn't help:

Ars wrote:

Cryptographers have analyzed the once-secret algorithms protecting satellite phones. What they found isn't pretty.

I don't want to see the army's communications cracked, but I'm sure as hell going to read an article that might be about it. While reading the article I realise I've been mislead by the picture.

I accept a large part of journalism is getting people to read your stuff, and creative headlines and pictures are great. However I don't find this picture creative and it's not an obvious parody. To me it is just misleading and I expect better from Ars.

Wow, whats up with people hating on the picture? They put pictures up all the time, sometimes shopped and get congratulated on how good it is. Instead people should make less assumptions or learn to search and verify the assumptions they do make. Stop feeling the need to be spoon fed. If you have questions about the article, figure them out.

To beat the horse:IT'S HUGE.1. It's annoying to have to scroll a full screen height or more to get past a picture that has nothing to do with the article.2. Because it's HUGE, it creates a contextual issue, requiring you to read the whole article before realizing the picture is not related to the article. 3. Because it is HUGE, it forces you to look at it and interact with it. You can't read any of the text of the article (at least on FF on a full 1080 screen) when you open the article. You're confronted with a front page that screams "the military is related to this article". 4. Again, the image is foisted into the context of the article because it is HUGE. 5. It's not only irrelevant to the article, but it's HUGE. 6. Have I mentioned that, if nothing else, it's terrible because it's HUGE? 7. By the way, when an image has nothing to do with the article, making it HUGE probably isn't the best move in the world. 8. Did the art dept even look at it? It's not cropped at all, lacks the personal touch we often laud as you point out, and it's HUGE.

The image of the soldier above is inaccurate. Although it doesn't actually show the radio he's using, by the style of the handset and antenna we can be certain he's using a UHF-band TACSAT radio such as a Harris multiband or Raytheon PSC-5x. This type of communications is encrypted by NSA Type-1 Suite A cryptographic architecture, which is certified for transmission of information up to and including TOP SECRET.

For those of us whose lives often depend on the security of our tactical communications, note that the article does not refer to the failure of any NSA standard architecture.

Heading the article with this inaccurate image is irresponsible on the part of the Ars editors.

Instead, the article probably refers to standards employed by Iridium, INMARSAT, or other commercial carriers. The US military does not use these commercial services for tactical or strategic comms.

Actually, seems to me we (the US military) own the birds that Iridium uses, and there are secure sleeves available for use with Iridium phones (I was a USAF 2E1X3 before the 3D merger made me a 3D1X3).

That being said, the NSA does have good standards, overall, though they could do to get on track with SOPs for non-Windows computers. You never realize just how much Apple left out and misused (re: UNIX commands in the terminal) until you have to help write the first shell script for STIG'ing a MAC, because the NSA wrote standards, but provided nothing to help actually implement them.

That being said, the NSA does have good standards, overall, though they could do to get on track with SOPs for non-Windows computers. You never realize just how much Apple left out and misused (re: UNIX commands in the terminal) until you have to help write the first shell script for STIG'ing a MAC, because the NSA wrote standards, but provided nothing to help actually implement them.

What in the world are you talking about? Apple left out UNIX commands? It's fully POSIX compliant. It's also meets the Single UNIX Specification (SUS). They formally had Mac OS X certified by the Open Group as UNIX™.

You may be thinking that the utilities in your favorite linux distro aren't in Mac OS X.

That's because... (wait for it) GNU's not UNIX™.

Your linux distro may be unix-like, but is not UNIX™. On top of that, you may be experiencing some BSD vs System V differences. Solaris is also different. Complain Apple isn't like GNU/Linux if you think their way is worse, but don't complain they aren't UNIX™.

Wow, whats up with people hating on the picture? They put pictures up all the time, sometimes shopped and get congratulated on how good it is. Instead people should make less assumptions or learn to search and verify the assumptions they do make. Stop feeling the need to be spoon fed. If you have questions about the article, figure them out.

Generally, the picture is expected to support the text. If you'll notice, even Aurich's fantastic Photoshopped jobs manage to do that. If it were otherwise, then you may as well put up a picture of a cat playing with a ball of string or something for every article. So since readers expect the picture to support the article, one of two things will generally happen, using this article as an example: 1) since the article text doesn't specifically reference the situation in the picture, the readership is left to conclude that the picture (since it is assumed to support the text) is factually relevant to the article and US .mil satellite phones are at risk for eavesdropping. 2) Since the article text and picture don't explicitly or implicitly support each other, a cognitive dissonance is created, confusing the reader as to the relevance of either the picture, the article, or both. Neither scenario is good for informing and educating your readership.

That being said, the NSA does have good standards, overall, though they could do to get on track with SOPs for non-Windows computers. You never realize just how much Apple left out and misused (re: UNIX commands in the terminal) until you have to help write the first shell script for STIG'ing a MAC, because the NSA wrote standards, but provided nothing to help actually implement them.

What in the world are you talking about? Apple left out UNIX commands? It's fully POSIX compliant. It's also meets the Single UNIX Specification (SUS). They formally had Mac OS X certified by the Open Group as UNIX™.

You may be thinking that the utilities in your favorite linux distro aren't in Mac OS X.

That's because... (wait for it) GNU's not UNIX™.

Your linux distro may be unix-like, but is not UNIX™. On top of that, you may be experiencing some BSD vs System V differences. Solaris is also different. Complain Apple isn't like GNU/Linux if you think their way is worse, but don't complain they aren't UNIX™.

Several standard terminal commands were either missing or the syntax modified in MacOS 10.6 compared to what I and the contractor I was working with( who has more UNIX and power-user w/ Mac experience than I), were familiar with. We were able to figure things out, but a handful of the commands we needed most certainly did not work per normal, and in a couple cases were missing (even a couple that what little info the NSA's guidelines mentioned). I honestly can't remember which specific commands, or how the syntax was modified, it was the only time I really dug into Mac to that level, and I've never had occasion to since, so I've braindumped most of it except the nature of the complications we ran into.

And yes, I'm quite familiar with the fact that Linux is UNIX-like but not UNIX. I kind of have to understand that distinction when explaining that Mac is in fact a UNIX operating system, to that flavor of Machead that hates any implication that anything and everything from Apple wasn't invented in a vacuum by The Almighty Jobs himself (note: not saying all Macheads are like this, I'm referring to that specific flavor of Machead).

Instead, the article probably refers to standards employed by Iridium, INMARSAT, or other commercial carriers. The US military does not use these commercial services for tactical or strategic comms.

They're not supposed to use commercial services for tactical comms, but I've talked with plenty of servicemen back from Afghanistan who had to use their satphone at one time or another, because the military comms were down.

Also, this wasn't a failure of 'security through obscurity' (a loaded phrase if ever there was one), it was a failure of a weak algorithm. In fact, that it was secret in nature has likely meant that it has been uncracked for /longer/ than if this algorithm was known and out in the open.

The ONLY way to even come close to a guarantee of security is through very extensive, widespread peer-review of an algorithm. The mathematics behind crypto algorithms are too complicated for any individual or company to get right themselves; that's why the most secure algorithms are also the most open (AES and SHA-256 come to mind).

Hell, for the DES block cipher which uses an otherwise Feistel network at its core, there's a proof of concept attack that decreases the attack time rather substantially from an exhaustive key search merely by relying on a single S-box that has somewhat more linear behavior than the other S-boxes. Mind, this is an otherwise flawlessly designed block cipher, but this tiny error introduced a lot of insecurity.

I saw a headline about cracked satellite phones. I saw a picture of a US solider using some kind of communication device. I assumed the crack was related to technology used by the US military. I read the whole article and there was no mention of military implications. I left the article confused - why is there a military picture? Did I miss the military reference? Was I supposed to connect the dots myself?

Then it dawns on me - I got tricked into reading an article I thought was about compromised military communications. Come on Ars, you're better than this.

It seems pretty clear to me that whomever picked the photo for this article was either utterly clueless about military cryptography, or has a bias against the military and couldn't resist taking a shot at this institution. It isn't like there's a lack of alternative "satphone" images on Google for inspiration. For example:

Hmmm.... notice the complete lack of pictures of soldiers using military crypto phones. Oh, wait, there is one soldier, way down the page that's holding an Iridium phone. Sorry. My mistake. That totally guts my argument.

The image of the soldier above is inaccurate. Although it doesn't actually show the radio he's using, by the style of the handset and antenna we can be certain he's using a UHF-band TACSAT radio such as a Harris multiband or Raytheon PSC-5x. This type of communications is encrypted by NSA Type-1 Suite A cryptographic architecture, which is certified for transmission of information up to and including TOP SECRET.

For those of us whose lives often depend on the security of our tactical communications, note that the article does not refer to the failure of any NSA standard architecture.

Heading the article with this inaccurate image is irresponsible on the part of the Ars editors.

Instead, the article probably refers to standards employed by Iridium, INMARSAT, or other commercial carriers. The US military does not use these commercial services for tactical or strategic comms.

I think the picture should stay.

So far it has given me additional information such as the fact that our soldiers use a UHF-band TACSAT radio, probably a Harris multiband or Raytheon PSC-5x. Then I found out what the encryption suite was NSA Type-1 Suite A cryptographic architecture, which is certified for transmission of information up to and including TOP SECRET.

It seems pretty clear to me that whomever picked the photo for this article was either utterly clueless about military cryptography, or has a bias against the military and couldn't resist taking a shot at this institution. It isn't like there's a lack of alternative "satphone" images on Google for inspiration.

I think most people reacting to the picture in this article are overly sensitive about the military in general and the US military in particular. Incidentally reading their posts it seems like most of them have a direct relation to the military.

As someone with no military connection and no particular military interest, the picture hardly confused me. In fact, I barely noticed it at all and had to go back and look at it after reading the comments to see that yes, it was actually a US soldier (all soldiers tend to look the same to the untrained eye) which might indeed have been misleading.

So my advice would be: chill out guys, the whole world is not actually out to get you, so relax, it’s just a picture in an otherwise totally innocent article….

The other interpretation of the large army guy photo is that the crack is being USED by the army to spy on the enemy. IIRC, that was a major plot point in Clear and Present Danger (the book, I never saw the film so don't know if that was included).

Not quite. In the book a satellite was being used to spy on cellular communications. Clancy didn't use private satphones until Debt of Honor where the retired coastguard officer and his business man charter used one to spy on the Japanese who invaded Guam.